Establishing a voice authentication credential

ABSTRACT

This disclosure describes techniques for establishing a voice authentication credential for an authenticated user of a mobile device. In one example, a system comprises an IVR system and a computing system, where the computing system comprises processing circuitry configured to: receive, over a network, authentication data from a mobile device; authenticate, based on the authentication data, a user operating the mobile device; output, over the network and to the mobile device, instructions for communicating with the IVR system; after outputting the instructions, receive, from the IVR system, information indicating that the mobile device, operated by the user, has contacted the IVR system; communicate with the IVR system to authenticate the user of the mobile device, receive, from the IVR system, a voiceprint created by the user of the mobile device; store the voiceprint as an authentication credential for the user of the mobile device.

CROSS REFERENCE

This application is a continuation application of and claims priority toU.S. application Ser. No. 16/422,022, filed on May 24, 2019, which is acontinuation application of and claims priority to Ser. No. 15/625,766,filed on Jun. 16, 2017, now U.S. Pat. No. 10,306,061. Each of theseapplications is hereby incorporated by reference herein in its entirety.

TECHNICAL FIELD

This disclosure relates to voice authentication and telephony systems.

BACKGROUND

Voice authentication systems authenticate users based on characteristicsof users' voices. Voice authentication systems are designed to recognizeand identify the person that is speaking, based on the acoustic featuresof speech that tend to differ from person to person. In most cases,voice authentication systems authenticate users by comparing a spokenpassphrase with a voiceprint of a previously-recorded version of thesame passphrase that was generated when voice authentication credentialswere first established or later updated.

SUMMARY

This disclosure describes techniques for establishing a voiceauthentication credential for an authenticated user of a mobile device.Techniques in accordance with one or more aspects of the presentdisclosure may enable use of an interactive voice response (IVR) systemfor creating a voice authentication credential for a user of a computingdevice, such as a mobile phone. As described in one or more examples,the techniques may involve generating session data associated with acomputing device operated by an authenticated user, and based on thesession data, generating instructions for contacting an IVR system. Thecomputing device may use the instructions to contact the IVR system andauthenticate itself, and then interact with the IVR system to create avoice authentication credential. Thereafter, the computing device mayuse the voice authentication credential to access one or more servicesprovided by a computing system. In some examples in accordance with oneor more aspects of the present disclosure, an existing IVR system thatis configured to provide voice biometric services for other channels,devices, and/or situations may be leveraged and/or reused to createvoice authentication credentials for mobile phones.

In one example, this disclosure describes a method comprising:outputting, by a mobile device and over a network to a computing system,information that includes authentication information and a request toestablish a voice authentication credential for a user operating themobile device; enabling the computing system to determine, based on theauthentication information, that the mobile device is operated by anauthorized user; receiving, by the mobile device over the network,instructions for communicating with an interactive voice response (IVR)system; establishing, by the mobile device and based on theinstructions, communications with the IVR system over the network;enabling the IVR system to verify, based on the communications, that themobile device that established communications with the IVR systempreviously output the request to establish a voice authenticationcredential; detecting, by the mobile device, audio data; outputting, bythe mobile device and over the network to the IVR system, informationabout the audio data; and enabling the IVR system to create a voiceprintbased on the audio data and communicate the voiceprint to the computingsystem for use as an authentication credential.

In another example, this disclosure describes a computing devicecomprising a storage system and processing circuitry, wherein theprocessing circuitry has access to the storage system and is configuredto: output, over a network to a computing system, information thatincludes authentication information and a request to establish a voiceauthentication credential for a user operating the mobile device; enablethe computing system to determine, based on the authenticationinformation, that the mobile device is operated by an authorized user;receive, over the network, instructions for communicating with aninteractive voice response (IVR) system; establish, based on theinstructions, communications with the IVR system over the network;enable the IVR system to verify, based on the communications, that themobile device that established communications with the IVR systempreviously output the request to establish a voice authenticationcredential; detect audio data; output, over the network to the IVRsystem, information about the audio data; and enable the IVR system tocreate a voiceprint based on the audio data and communicate thevoiceprint to the computing system for use as an authenticationcredential.

In another example, this disclosure describes a computer-readablestorage medium comprising instructions that, when executed, configureprocessing circuitry of a computing system to: output, over a network toa computing system, information that includes authentication informationand a request to establish a voice authentication credential for a useroperating the mobile device; enable the computing system to determine,based on the authentication information, that the mobile device isoperated by an authorized user; receive, over the network, instructionsfor communicating with an interactive voice response (IVR) system;establish, based on the instructions, communications with the IVR systemover the network; enable the IVR system to verify, based on thecommunications, that the mobile device that established communicationswith the IVR system previously output the request to establish a voiceauthentication credential; detect audio data; output, over the networkto the IVR system, information about the audio data; and enable the IVRsystem to create a voiceprint based on the audio data and communicatethe voiceprint to the computing system for use as an authenticationcredential.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A and FIG. 1B are conceptual diagrams illustrating example systemsfor creating and using a voice authentication credential, in accordancewith one or more aspects of the present disclosure.

FIG. 2 is a block diagram illustrating an example system for creatingand using a voice authentication credential, in accordance with one ormore aspects of the present disclosure.

FIG. 3 is a flow diagram illustrating operations performed by an examplecomputing system in accordance with one or more aspects of the presentdisclosure.

DETAILED DESCRIPTION

FIG. 1A and FIG. 1B are conceptual diagrams illustrating example systemsfor creating and using a voice authentication credential, in accordancewith one or more aspects of the present disclosure. FIG. 1A illustratesone example implementation of system 100A for creating a voiceauthentication credential. FIG. 1B illustrates one exampleimplementation of system 100B for using a voice authenticationcredential. In the example of FIG. 1A, system 100A includes computingdevice 110 (e.g., a mobile phone) in communication with applicationserver 120 and a registration interactive voice response (IVR) system170. FIG. 1A further includes enrollment system 125, voice biometricservices system 180, and banking system 190. In FIG. 1A, enrollmentsystem 125 includes call routing interface (“INTF.”) 130, call routingsystem (“CALL RTE.”) 140, database services system (“DB”) 150, and IVRinterface 160. Database services system 150 includes database 151 andone or more instances of session data 152. Voice biometric servicessystem 180 includes voiceprint data store 181 and one or morevoiceprints 182. In the example of FIG. 1B, system 100B includescomputing device 110 in communication with application server 120, andapplication server 120 in communication with voice biometric servicessystem 180. In accordance with one or more aspects of the presentdisclosure, other implementations of system 100A and/or system 100B maybe appropriate in other instances. Such implementations may include asubset of the components included in the examples of FIG. 1A and FIG. 1Band/or may include additional components not shown in FIG. 1A or FIG.1B.

Although functions and operations described in connection with FIG. 1Aand FIG. 1B may be illustrated as being distributed across multipledevices, in other examples, the features and techniques attributed toone or more devices in FIG. 1A and/or FIG. 1B may be performedinternally, by local components of one or more of such devices.Similarly, one or more of such devices may include certain componentsand perform various techniques that may otherwise be attributed in thedescription herein to one or more other devices. Further, certainoperations, techniques, features, and/or functions may be described inconnection with FIG. 1A and/or FIG. 1B or otherwise as performed byspecific components, devices, and/or modules. In other examples, suchoperations, techniques, features, and/or functions may be performed byother components, devices, or modules. Accordingly, some operations,techniques, features, and/or functions attributed to one or morecomponents, devices, or modules may be alternatively attributed to othercomponents, devices, and/or modules, even if not specifically describedherein in such a manner.

In some examples, computing device 110 interacts with database servicessystem 150 to enable computing device 110 to establish communicationswith IVR system 170 as an authorized user, thereby enabling computingdevice 110 to establish a voice authentication credential using IVRsystem 170. For instance, in the example of FIG. 1A, computing device110 communicates with database services system 150 through applicationserver 120, call routing interface 130, call routing system 140, andthen to database services system 150 to store session data 152. Databaseservices system 150 then issues instructions to computing device 110that enable computing device 110 to contact IVR system 170. Computingdevice 110 contacts IVR system 170 and identifies itself to IVR system170. IVR system 170 interacts with database services system 150, throughIVR interface 160, to verify that computing device 110 is the samedevice that interacted with database services system when session data152 was previously stored. Once verified, computing device 110 mayinteract with IVR system 170 to establish a voice authenticationcredential. Once the credential is established, computing device 110 maythereafter authenticate with application server 120 using the voiceauthentication credential.

In FIG. 1A, computing device 110 is a mobile phone, but computing device110 may be implemented as any suitable computing system, such as amobile, non-mobile, wearable, and/or non-wearable computing device.Computing device 110 may therefore represent any computing device thatperforms operations described herein as the result of instructions,stored on a computer-readable storage medium, executing on one or moreprocessors. The instructions may be in the form of software stored onone or more local or remote computer readable storage devices. In otherexamples, computing device 110 may perform operations using hardware,firmware, or a mixture of hardware, software, and firmware residing inand/or executing at computing device 110. If not implemented as a mobilephone, computing device 110 may represent a tablet computer, acomputerized watch, a computerized glove or gloves, a personal digitalassistant, a virtual assistant, a gaming system, a media player, ane-book reader, a television or television platform, a bicycle,automobile, or navigation, information and/or entertainment system for abicycle, automobile or other vehicle, an Internet of Things (IOT)device, a laptop or notebook computer, a desktop computer, or any othertype of wearable, non-wearable, mobile, or non-mobile computing devicethat may perform operations in accordance with one or more aspects ofthe present disclosure. Further, although computing device 110 may be astand-alone device, computing device 110 may be implemented in any of awide variety of ways. For example, computing device 110 may beimplemented through multiple devices and/or systems. In another example,computing device 110 may be, or may be part of, any component, device,or system that includes a processor or other suitable computingenvironment for processing information or executing softwareinstructions.

Computing device 110 may serve as a computing device that enables a userto interact with, browse, and/or use information or resources availableover a network. For instance, computing device 110 may, at the directionof a user, browse for information, communicate with others, engage inmobile banking operations, perform calculations, analyze data, monitoror check or process a user's personal communications, control otherdevices, perform a physical task or cause one to be performed, accessother information or resources, and/or perform financial relatedoperations and/or tasks. Computing device 110 may pair with and/orcommunicate with other devices, and may send control signals to otherdevices or systems.

One or more application servers 120 may represent a system that operatesto perform functions on behalf of one or more computing devices 110,such as mobile phones. Application server 120 may be implemented throughany suitable computing system, such as one or more server computers,mainframes, workstations, cloud computing systems, server farms, orserver clusters. In the example of FIG. 1A, application server 120 is amobile application server device capable of performing functions onbehalf of one or more mobile phones, smartphones, or other mobilecomputing devices. Application server 120 may be operated or controlledby a service provider, a financial institution, and/or other entity, andmay, for example, provide mobile banking or financial services.

Call routing interface 130 may represent an interface to call routingsystem 140, and may interact with call routing system 140 and cause callrouting system 140 to perform functions on behalf of call routinginterface 130 and/or application server 120. In some examples, callrouting interface 130 may be implemented using, for example, a CafeXMobile Advisor solution from CafeX Communications, Inc. Also, in someexamples, application server 120 may communicate with call routinginterface 130 through Java application programming interface (API) callsor through another interface or API. Other possible implementations forcall routing interface 130 are contemplated, and may be suitable forperforming functions, tasks, or operations pertaining to one or moreaspects of the present disclosure. In some examples, call routinginterface 130 may receive a signal from application server 120initiating a process to establish a voice authentication credential foran authenticated user (e.g., a user of computing device 110). Callrouting interface 130 may send information to call routing system 140including information about computing device 110 and/or a user ofcomputing device 110.

Call routing system 140 may represent a call routing system or callcenter system that may operate and/or perform functions in response tointeractions with call routing interface 130 or other devices or systemsof system 100A. In some examples, call routing system 140 may beimplemented using call routing solutions available through GenesysTelecommunications Laboratories. In some examples, call routing system140 may receive, from call routing interface 130, information aboutcomputing device 110 and/or a user of computing device 110. Call routingsystem 140 may generate a phone number that computing device 110 may useto contact IVR system 170, and may associate with the phone number anexpiration time. Call routing system 140 may communicate information todatabase services system 150 that database services system 150 may storeas session data 152.

Database services system 150 may perform data storage related functions,including storing session data 152 within database 151. Databaseservices system 150 may generate a one-time passcode for use bycomputing device 110. Database services system 150 may also extract frominformation received from call routing system 140 a device identifierassociated with computing device 110. Database services system 150 may,generally, collect and aggregate session data 152 for computing device110, and similar session data for one or more additional computingdevices 110 operated by other users. Database services system 150 mayissue instructions to computing device 110 for interacting with IVRsystem 170. Database services system 150 may authorize requests by IVRsystem 170, received through IVR interface 160, to authenticate and/orapprove of interactions with IVR system 170 by one or more computingdevices 110. Alternatively, database services system 150 may sendinformation to IVR system 170 through IVR interface 160 (or provideaccess to such information), and thereby enable IVR system 170 to verifythe identity and/or authenticity of one or more computing devices 110.

IVR interface 160 may provide an interface between database servicessystem 150 and IVR system 170. In some examples, IVR interface 160 isimplemented as a routing web services platform that communicatesrequests, by IVR system 170, to authenticate or verify informationreceived from computing device 110 by IVR system 170. IVR interface 160may receive from database services system 150 a signal that IVRinterface 160 routes to IVR system 170 indicating whether informationreceived from computing device 110 by IVR system 170 matches sessiondata 152 established for computing device 110.

IVR system 170 may represent an interactive voice response (IVR) systemthat performs voice authentication enrollments and/or registers users ofcomputing devices 110 to use voice biometric authentication credentials.In that sense, IVR system 170 may be considered a registration IVR. Insome examples, IVR system 170 may be configured to interact with humansthrough the use of voice and dual tone multi frequency (DTMF) tones,often generated as a result of keypad input. IVR system 170 enables ahuman to interact with voice biometric services system 180 throughkeypad input or by speech recognition or through other means. IVR system170 may, for example, enable a user of computing device 110 to establisha voice authentication credential. IVR system 170 may also be capable ofperforming call routing services. For instance, in some examples, IVRsystem 170 may route a call to a live person when requested by a user orwhen user actions suggest that interactions with a live person areappropriate (e.g., a user having difficulty establishing a voiceauthentication credential).

Voice biometric services system 180 may perform functions relating toestablishing a voiceprint for use with a voice authentication services.Voice biometric services system 180 may receive information about audiodetected by a computing device or mobile phone, and may analyze theaudio to determine whether the audio is appropriate for use as avoiceprint. Voice biometric services system 180 may use audioinformation to create voiceprints and may store such voiceprints withinvoiceprint data store 181 as one or more voiceprints 182. Voicebiometric services system 180 may determine whether audio datacorresponds and/or matches one or more voiceprints stored withinvoiceprint data store 181. Voice biometric services system 180 mayoutput signals (e.g., to application server 120 and/or to IVR system170) that indicate whether audio input corresponds to one or morevoiceprints stored within voiceprint data store 181. In some examples,voice biometric services system 180 may, over time, update any storedvoiceprints 182 to take into account changes in a user's voice orchanges in equipment (e.g., improved audio input capability) that a usermay use to capture audio data corresponding to an uttered passphrase.Voiceprint data store 181 may be searchable and/or categorized such thata device, module, or system may provide input requesting informationfrom voiceprint data store 181, and in response to the input, receiveinformation stored within voiceprint data store 181.

In some examples, IVR system 170 in combination with voice biometricservices system 180 may serve as a single and/or central point of voicebiometric authentication enrollment for multiple channels. For instance,IVR system 170 and voice biometric services system 180 may provide voicebiometric enrollment services for other systems or interactive voiceresponse systems, such as those used by a bank to enable customers toaccess financial and/or banking records. Aspects of IVR system 170 andvoice biometric services system 180 may also be used to provideenrollment services for a voice authentication credential that is usedby computing devices 110 that access authenticated services throughapplication server 120. In this way, an existing voice biometricenrollment system, which may be represented by IVR system 170 and voicebiometric services system 180, can be used for voice biometricauthentication enrollment for users of computing device 110.

Banking system 190 may represent one or more systems providing servicesto one or more computing devices 110. In some examples, banking system190 may represent a system that provides access to financial informationto authenticated users of computing devices 110. For instance, a user ofcomputing device 110 may, upon establishing a voice authenticationcredential and authenticating with the credential, access bankingrecords and/or perform online banking tasks by providing input tocomputing device 110. Although aspects of this disclosure are describedin terms of a banking context, it should be understood that many aspectsof the present disclosure are also applicable to other contexts outsideof banking and financial services.

In the example of FIG. 1A, and in accordance with one or more aspects ofthe present disclosure, application server 120 may authenticate a userof computing device 110. For instance, in the example of FIG. 1A,computing device 110 detects input that it determines corresponds to arequest to interact with application server 120. Computing device 110presents user interface 112, and in response, detects input. In someexamples, the input detected corresponds to a username and passwordassociated with computing device 110 generally or, alternatively, with aspecific application executing on computing device 110. Computing device110 sends a signal to application server 120. Application server 120receives the signal and determines that the signal corresponds to arequest to authenticate a user. Application server 120 may furtherdetermine that the signal includes authentication credentials (e.g., theusername and password) for a user of computing device 110. Applicationserver 120 determines that the authentication request and authenticationcredentials correspond to a valid user of computing device 110.Application server 120 may further communicate with computing device 110and establish a session for the authenticated user at computing device110.

Computing device 110 may cause database services system 150 to generateand/or store session data 152. For instance, in the example of FIG. 1A,computing device 110 presents user interface 114, prompting a user toenroll in voice biometric authentication services. After presenting userinterface 114, computing device 110 detects input that it determinescorresponds to interaction with button 115 within user interface 114.Computing device 110 sends a signal to application server 120.Application server 120 receives the signal and determines that thesignal corresponds to a request to establish a voice authenticationcredential. Application server 120 outputs a signal to call routinginterface 130, including information about computing device 110 and/or auser of computing device 110, and initiating a process to establish avoice authentication credential for the authenticated user of computingdevice 110. In some examples, the signal sent by application server 120to call routing interface 130 may be in the form of a Cisco Java APIcall to call routing interface 130.

Call routing interface 130 receives the signal, and determines that thesignal corresponds to a request, by application server 120, to generatecall routing instructions to enable an authenticated user of computingdevice 110 to interact with IVR system 170 and thereby set up a voiceauthentication credential. Call routing interface 130 sends a signal tocall routing system 140, including information about computing device110 and/or a user of computing device 110, and requesting that callrouting system 140 generate call routing instructions. Call routingsystem 140 outputs to database services system 150 a signal to initiategeneration and/or extraction of session data for use in laterverification of computing device 110 for IVR system 170. Databaseservices system 150 generates a one-time passcode for use by a user ofcomputing device 110, and extracts from information received from callrouting system 140 a mobile device identifier associated with computingdevice 110. Database services system 150 stores session data 152associated with computing device 110 in database 151. In some examples,the one-time passcode may act as the primary key for storage of mobilesession data within a relational database represented by database 151.Session data 152 may include the one-time passcode generated by databaseservices system 150, the device identifier associated with computingdevice 110, and/or other information associated with the authenticatedmobile session established between computing device 110 and applicationserver 120.

Database services system 150 may issue instructions to computing device110 that enable computing device 110 to interact with IVR system 170 asan authenticated device. For instance, in the example of FIG. 1A,database services system 150 sends a signal to call routing system 140including at least some of session data 152 stored by database servicessystem 150. Call routing system 140 receives the signal from databaseservices system 150, and in response, generates a phone number (e.g., a1-800 phone number) that computing device 110 may use to contact IVRsystem 170. Call routing system 140 may also associate, store, and/orinclude an expiration time with the phone number and/or session data 152received from database services system 150. In some examples, sessiondata 152 stored by database services system 150 may be time-limited, sothat if computing device 110 does not establish a voice authenticationcredential within a certain time period, some or all of session data 152expires, and can no longer be used to establish a voice authenticationcredential. Call routing system 140 may send, to call routing interface130, the phone number generated by call routing system 140 along with atleast some of session data 152. Call routing interface 130 receives theinformation from call routing system 140, and outputs to applicationserver 120 information derived from the information received from callrouting system 140. Application server 120 receives information fromcall routing interface 130 and generates instructions based on theinformation received from call routing interface 130. Application server120 outputs the instructions to computing device 110.

Computing device 110 may use the instructions to establishcommunications with IVR system 170 as an authenticated device. Forinstance, in the example of FIG. 1A, computing device 110 receives theinstructions from application server 120 and determines that theinstructions include information for contacting IVR system 170. In someexamples, the instructions include a phone number for contacting IVRsystem 170 and a one-time passcode included within session data 152.Computing device 110 initiates a phone call to IVR system 170 using thephone number received from application server 120. In some examples,computing device 110 initiates the phone call over a public switchedtelephone network, a cellular phone network, or other voice-orientednetwork to IVR system 170.

IVR system 170 receives the phone call, and establishes communicationwith computing device 110. Computing device 110 communicates to IVRsystem 170 the device identifier associated with computing device 110and also the one-time passcode included in session data 152. In someexamples, the device identifier and/or the one-time passcode areautomatically communicated to IVR system 170 by computing device 110using DTMF tones during the call session between computing device 110and IVR system 170. IVR system 170 receives the device identifier andthe one-time passcode from computing device 110. In response, IVR system170 sends a signal to database services system 150 through IVR interface160. Database services system 150 receives the signal, and determinesthat the signal corresponds to a request to verify that a user ofcomputing device 110 is authorized to create a voice-basedauthentication credential. Database services system 150 may furtherdetermine that the signal includes a device identifier and a passcode.Database services system 150 authorizes the request by comparing thedevice identifier and the passcode received from IVR system 170 with theinformation in session data 152. If database services system 150determines that the information matches, database services system 150outputs a signal to IVR system 170 through IVR interface 160. IVR system170 receives the signal and determines that the signal corresponds to anindication that computing device 110 is the same device that initiated arequest to establish a voice authentication credential. In someexamples, database services system 150 sends such a signal to enable IVRsystem 170 to establish a voice authentication credential for the userof computing device 110; in at least some cases, IVR system 170 mightnot establish a voice authentication credential without receipt of sucha signal. Alternatively, in some examples, database services system 150may enable IVR system 170 to establish a voice authentication credentialby providing, to IVR system 170, access to database 151 through IVRinterface 160, so that IVR system 170 may perform any comparison and/orverification operations itself.

After establishing that computing device 110 is the same device thatinitiated the request to establish a voice authentication credential,and during the call session between computing device 110 and IVR system170, IVR system 170 may establish a voice authentication credential fora user of computing device 110. For instance, in the example of FIG. 1A,IVR system 170 outputs a signal to computing device 110. Computingdevice 110 receives the signal and determines that the signalcorresponds to information sufficient to generate a user interface.Computing device 110 generates a user interface and presents it to auser of computing device 110. In some examples, the user interface issimply an audio prompt, and may, for example, prompt a user of computingdevice 110 to say a passphrase that can be used to generate voicebiometric print. In other examples, the user interface mayalternatively, or in addition, include a visual prompt presented at adisplay screen associated with computing device 110 (e.g., userinterface 116). In the example of FIG. 1A, a user of computing device110 is prompted to say a passphrase. Computing device 110 receives inputthat it determines corresponds to an audio response to the prompt.Computing device 110 outputs to IVR system 170 an indication of theaudio response. IVR system 170 receives the indication of the audioresponse, and outputs to voice biometric services system 180 informationabout the audio response. Voice biometric services system 180 receivesthe information about the audio response, and determines whether theaudio response is sufficient to create a voiceprint. In the exampleillustrated in FIG. 1A, voice biometric services system 180 determinesthat the audio response is sufficient to create a voiceprint, so voicebiometric services system 180 creates voiceprint 182 for the user ofcomputing device 110, and stores it within voiceprint data store 181 ofvoice biometric services system 180. Computing device 110 may presentuser interface 118.

In some examples, IVR system 170 may cause computing device 110 toprompt a user of computing device 110 to repeat a passphrase more thanone time (e.g., three times) to ensure that aspects of the voiceprintare analyzed and/or recorded properly. Further, IVR system 170 may causecomputing device 110 to prompt a user of computing device 110 to say astandard passphrase that may be the same passphrase used by others whengenerating a voiceprint. For instance, one common passphrase is “myvoice is my password, please verify me.” In some systems, most or allusers perform voice authentication by uttering this same phrase.

Once voiceprint 182 has been established as described above, laterauthentication of the user operating computing device 110 may beperformed by application server 120 interacting directly with voicebiometric services system 180. In some examples, as shown in FIG. 1B,enrollment system 125 and IVR system 170 might not be needed toauthenticate a user of computing device 110.

Accordingly, a user of computing device 110 may authenticate withapplication server 120 using the voice authentication credentialestablished at voice biometric services system 180. For instance, in theexample of FIG. 1B, computing device 110 detects input that itdetermines corresponds to a request to interact with application server120. Computing device 110 presents a user interface prompting a user tosay a passphrase, and in response, detects audio input. In someexamples, such a user interface is a visual prompt (e.g., user interface119), and in other examples, such a user interface is alternatively, orin addition, an audio prompt. Computing device 110 outputs toapplication server 120 an indication of audio input. Application server120 receives the indication of audio input, and determines that theaudio input corresponds to a request to authenticate using voicebiometrics. Application server 120 outputs information about the audioinput to voice biometric services system 180. Voice biometric servicessystem 180 evaluates the audio input and determines that the audio inputcorresponds to the passphrase uttered by the user of computing device110 when establishing voiceprint 182. Voice biometric services system180 sends a signal to application server 120. Application server 120receives the signal and determines that the signal indicates that theuser of computing device 110 has been authenticated. Application server120 may further determine that the signal includes informationidentifying the authenticated user. Application server 120 and computingdevice 110 further communicate and establish a session for theauthenticated user at computing device 110. Computing device 110 maythereafter send signals to application server 120 in response to inputdetected by computing device 110, and application server 120 may, inresponse to such signals, perform services (e.g., banking or otherservices) on behalf of the authenticated user of computing device 110.For instance, application server 120 and/or voice biometric servicessystem 180 may communicate with banking system 190 to provide financialservices to a user of computing device 110.

By enabling an IVR environment to be used to establish a voiceauthentication credential for a user that is authenticated through amobile computing device, system 100A may take advantage of existingvoice authentication registration IVR systems that are reliably used forcreating voice authentication credentials for other channels andapplications. By using existing voice authentication registration IVRsystems, system 100A may gain benefits of using a single and/orcentralized voice biometrics enrollment environment for multiplechannels, devices, applications, and environments. For instance, asingle and/or centralized enrollment environment may be easier tomaintain than multiple enrollment environments. Further, with only oneenrollment environment, more resources can be devoted to improving theoperation and ensuring the security of the enrollment environment thanif there were multiple enrollment environments needed to be developedand maintained. Accordingly, as a result of enabling a userauthenticated through a mobile device to create an authenticationcredential using an existing IVR environment, system 100A and/or system100B may be more reliable and more secure. Therefore, aspects of thisdisclosure may improve the function of system 100A and system 100B (oraspects of or systems within such systems) because using a centralizedor single enrollment environment may have the effect of improving thesecurity and/or operation of system 100A and system 100B.

FIG. 2 is a block diagram illustrating an example system for creatingand using a voice authentication credential, in accordance with one ormore aspects of the present disclosure. System 200 of FIG. 2 may bedescribed as an example or alternate implementation of system 100A ofFIG. 1A and/or system 100B of FIG. 1B. One or more aspects of FIG. 2 maybe described herein within the context of system 100A of FIG. 1A and/orsystem 100B of FIG. 1B. FIG. 2 illustrates one example implementation ofsystem 200. Other example implementations of system 200 may beappropriate in other instances. Such implementations may include asubset of the devices and/or components included in the example of FIG.2 and/or may include additional devices and/or components not shown inFIG. 2.

System 200 and devices illustrated as part of system 200 in FIG. 2 maybe implemented in a number of different ways. In some examples, one ormore devices of system 200 that are illustrated as separate devices maybe implemented as a single device; one or more components of system 200that are illustrated as separate components may be implemented as asingle component. Also, in some examples, one or more devices of system200 that are illustrated as a single device may be implemented asmultiple devices; one or more components of system 200 that areillustrated as a single component may be implemented as multiplecomponents. Further, one or more devices or components of system 200that are illustrated in FIG. 2 may be implemented as part of anotherdevice or component not shown in FIG. 2. Some of the functions describedherein may be performed via distributed processing by two or moredevices.

In the example of FIG. 2, system 200 includes one or more computingdevices 210 in communication, via network 201, with computing system240, voice biometric services system 180, and IVR system 170. As shownin FIG. 2, computing device 210 may alternatively, or in addition,communicate with IVR system 170 over voice-oriented network 203.

In FIG. 2, IVR system 170 and voice biometric services system 180 maycorrespond to IVR system 170 and voice biometric services system 180 ofFIG. 1A. Computing device 210 of FIG. 2 may correspond to computingdevice 110 of FIG. 1A and FIG. 1B, and may be implemented in a mannerconsistent with the description of computing device 110 provided inconnection with FIG. 1A and FIG. 1B. For ease of illustration, only onecomputing device 210 is illustrated in FIG. 2, although techniques inaccordance with one or more aspects of this disclosure may be performedwith many computing devices 210.

Also, in FIG. 2, computing system 240 may generally correspond to acombined application server 120 and enrollment system 125, and mayperform some of the same functions described in connection with FIG. 1Aas having been performed by application server 120 and/or enrollmentsystem 125. Although illustrated as a single device in FIG. 2, computingsystem 240 may be implemented as a number of separate devices or systems(e.g., as in FIG. 1A), or as part of another system. In some examples,some or all of the functionality provided by computing system 240 may beprovided by a public or private cloud system, server farm, or servercluster (or portion thereof).

Network 201 may be the internet, or may include or represent any publicor private communications network or other network. For instance,network 201 may be a cellular, Wi-Fi®, ZigBee, Bluetooth, Near-FieldCommunication (NFC), satellite, enterprise, service provider, and/orother type of network enabling transfer of transmitting data betweencomputing systems, servers, and computing devices. One or more of clientdevices, server devices, or other devices may transmit and receive data,commands, control signals, and/or other information across network 201using any suitable communication techniques. Network 201 may include oneor more network hubs, network switches, network routers, satellitedishes, or any other network equipment. Such devices or components maybe operatively inter-coupled, thereby providing for the exchange ofinformation between computers, devices, or other components (e.g.,between one or more client devices or systems and one or more serverdevices or systems). Each of the devices or systems illustrated in FIG.2 may be operatively coupled to network 201 using one or more networklinks. The links coupling such devices or systems to network 201 may beEthernet, Asynchronous Transfer Mode (ATM) or other types of networkconnections, and such connections may be wireless and/or wiredconnections. One or more of the devices or systems illustrated in FIG. 2or otherwise on network 201 may be in a remote location relative to oneor more other illustrated devices or systems.

Voice-oriented network 203 may represent a collection of interconnectednetworks that primarily carry voice traffic. In some examples,voice-oriented network 203 may represent a public switched telephonenetwork (PSTN) that is used by one or more computing devices 110 toconnect to, communicate with, and interact with IVR system 170.Voice-oriented network 203 may represent a collection of networks thatmay be public, private, commercial, and/or government-owned. Althoughillustrated in FIG. 2 as being separate from network 201, in otherexamples, voice-oriented network 203 may be part of network 201, or maybe considered to be part of network 201.

Computing system 240 may be implemented as any suitable computingsystem, such as one or more server computers, workstations, mainframes,appliances, cloud computing systems, and/or other computing systems thatmay be capable of performing operations and/or functions described inaccordance with one or more aspects of the present disclosure. In someexamples, computing system 240 represents a cloud computing system,server farm, and/or server cluster (or portion thereof) that providesservices to client devices and other devices or systems. For example,computing system 240 may host or provide access to services provided byone or more modules (e.g., authentication module 252, enrollment module254, and banking module 258) of computing system 240. Client devices(e.g., one or more computing devices 110) may communicate with computingsystem 240 over network 201 to access services provided by one or moremodules of computing system 240. Computing system 240 may provide, forinstance, authentication, banking, financial, and/or other services inresponse to input received from one or more client devices.

Although computing system 240 of FIG. 2 may be a stand-alone device, oneor more computing systems 240 may be implemented in any of a widevariety of ways, and may be implemented using multiple devices and/orsystems. In some examples, one or more computing systems 240 may be, ormay be part of, any component, device, or system that includes aprocessor or other suitable computing environment for processinginformation or executing software instructions and that operates inaccordance with one or more aspects of the present disclosure. In someexamples, computing system 240 may be fully implemented as hardware inone or more devices or logic elements.

In the example of FIG. 2, computing system 240 may include power source241, one or more processors 243, one or more communication units 245,one or more input/output devices 247, and one or more storage devices250. Storage device 250 may include authentication module 252,enrollment module 254, session data 256, and banking module 258. One ormore of the devices, modules, storage areas, or other components ofcomputing system 240 may be interconnected to enable inter-componentcommunications (physically, communicatively, and/or operatively). Insome examples, such connectivity may be provided by throughcommunication channels (e.g., communication channels 242), a system bus,a network connection, an inter-process communication data structure, orany other method for communicating data.

Power source 241 may provide power to one or more components ofcomputing system 240. In some examples, power source 241 may receivepower from the primary alternative current (AC) power supply in abuilding, home, or other location. In other examples, power source 241may be or may include a battery.

One or more processors 243 of computing system 240 may implementfunctionality and/or execute instructions associated with computingsystem 240 or associated with one or more modules illustrated hereinand/or described below. One or more processors 243 may be, may be partof, and/or may include processing circuitry that performs operations inaccordance with one or more aspects of the present disclosure. Examplesof processors 243 include microprocessors, application processors,display controllers, auxiliary processors, one or more sensor hubs, andany other hardware configured to function as a processor, a processingunit, or a processing device. Computing system 240 may use one or moreprocessors 243 to perform operations in accordance with one or moreaspects of the present disclosure using software, hardware, firmware, ora mixture of hardware, software, and firmware residing in and/orexecuting at computing system 240.

One or more communication units 245 of computing system 240 maycommunicate with devices external to computing system 240 bytransmitting and/or receiving data, and may operate, in some respects,as both an input device and an output device. In some examples,communication unit 245 may communicate with other devices over anetwork. In other examples, communication units 245 may send and/orreceive radio signals on a radio network such as a cellular radionetwork. In other examples, communication units 245 of computing system240 may transmit and/or receive satellite signals on a satellite networksuch as a Global Positioning System (GPS) network. Examples ofcommunication units 245 include a network interface card (e.g. such asan Ethernet card), an optical transceiver, a radio frequencytransceiver, a GPS receiver, or any other type of device that can sendand/or receive information. Other examples of communication units 245may include devices capable of communicating over Bluetooth®, GPS, NFC,ZigBee, and cellular networks (e.g., 3G, 4G, 5G), and Wi-Fi® radiosfound in mobile devices as well as Universal Serial Bus (USB)controllers and the like. Such communications may adhere to, implement,or abide by appropriate protocols, including Transmission ControlProtocol/Internet Protocol (TCP/IP), Ethernet, Bluetooth, NFC, or othertechnologies or protocols.

One or more input/output devices 247 may represent any input or outputdevices of computing system 240 not otherwise separately describedherein. One or more input/output devices 247 may generate, receive,and/or process input from any type of device capable of detecting inputfrom a human or machine. One or more input/output devices 247 maygenerate, present, and/or process output through any type of devicecapable of producing output.

One or more storage devices 250 within computing system 240 may storeinformation for processing during operation of computing system 240.Storage devices 250 may store program instructions and/or dataassociated with one or more of the modules described in accordance withone or more aspects of this disclosure. One or more processors 243 andone or more storage devices 250 may provide an operating environment orplatform for such modules, which may be implemented as software, but mayin some examples include any combination of hardware, firmware, andsoftware. One or more processors 243 may execute instructions and one ormore storage devices 250 may store instructions and/or data of one ormore modules. The combination of processors 243 and storage devices 250may retrieve, store, and/or execute the instructions and/or data of oneor more applications, modules, or software. Processors 243 and/orstorage devices 250 may also be operably coupled to one or more othersoftware and/or hardware components, including, but not limited to, oneor more of the components of computing system 240 and/or one or moredevices or systems illustrated as being connected to computing system240.

In some examples, one or more storage devices 250 are temporarymemories, meaning that a primary purpose of the one or more storagedevices is not long-term storage. Storage devices 250 of computingsystem 240 may be configured for short-term storage of information asvolatile memory and therefore not retain stored contents if deactivated.Examples of volatile memories include random access memories (RAM),dynamic random access memories (DRAM), static random access memories(SRAM), and other forms of volatile memories known in the art. Storagedevices 250, in some examples, also include one or morecomputer-readable storage media. Storage devices 250 may be configuredto store larger amounts of information than volatile memory. Storagedevices 250 may further be configured for long-term storage ofinformation as non-volatile memory space and retain information afteractivate/off cycles. Examples of non-volatile memories include magnetichard disks, optical discs, floppy disks, Flash memories, or forms ofelectrically programmable memories (EPROM) or electrically erasable andprogrammable (EEPROM) memories.

Authentication module 252 may perform functions relating toauthenticating a user of computing device 210. Authentication module 252may receive authentication credentials from one or more users ofcomputing devices 210. In some examples, the authentication credentialsmay be a username and password combination, and in other examples, theauthentication credentials may include a voiceprint or audio datagenerated as a result of a user of computing device 210 uttering apassphrase. Authentication module 252 may evaluate the authenticationcredentials, identify the user, and establish a session with one or morecomputing devices 110. Although authentication module 252 may bedescribed in connection with FIG. 2 as primarily performingauthentication operations, authentication module 252 may also performoperations relating to voice biometric services enrollment of one ormore users of computing devices 210.

Enrollment module 254 may perform functions relating to establishing anauthentication credential for one or more users of computing device 210.In some examples, enrollment module 254 generates session data 256 for auser of computing device 210. Enrollment module 254 may use session data256 to generate instructions that enable computing device 210 to contactand interact with IVR system 170. IVR system 170 may, in response tosuch interaction, communicate with enrollment module 254 to verify thatcommunications received by IVR system 170 are from computing device 210,thereby authenticating a user of computing device 210 for IVR system170.

Session data 256 may include information derived from or generated basedon information received in communications with one or more computingdevices 210. For instance, in some examples, session data 256 mayinclude a device identifier associated with computing device 210, apasscode associated with the session with computing device 210, and aphone number that computing device 210 may use to contact IVR system170. Session data 256 may be created and updated by enrollment module254, and may be time-limited and/or subject to an expiration time.Enrollment module 254 may access session data 256 and compareinformation received from IVR system 170 to session data 256 to identifyand/or verify one or more computing devices 210 that have communicatedwith IVR system 170 seeking to establish a voice authenticationcredential.

Banking module 258 may perform functions and/or services relating tobanking and/or providing banking information. For example, bankingmodule 258 may access financial information for an authenticated user ofcomputing device 210 (or other client device) in response to a requestreceived from computing device 210. Banking module 258 may access suchinformation within computing system 240, or may access such informationthrough another system over a network. Banking module 258 may causecommunication unit 245 to send information to computing device 210 thatcomputing device 210 uses to generate a user interface for presentationat computing device 210. Such a user interface may include bankinginformation relating to the authenticated user of computing device 210.Banking module 258 may receive, from computing device 210 an indicationof input that banking module 258 determines corresponds to a request toperform a banking function and/or banking service. Banking module 258may, in response to such a request, interact with one or more othermodules or computing devices to perform the requested function.

In the example of FIG. 2, computing device 210 may represent an exampleof one of a number of computing devices 210 that may interact withcomputing system 240 and/or other systems illustrated in FIG. 2 inaccordance with one or more aspects of the present disclosure. Computingdevice 210 of FIG. 2 may include power source 211, one or moreprocessors 213, one or more communication units 215, one or moreinput/output devices 217, one or more user interface devices 221, andone or more storage devices 230. User interface device 221 may includeone or more displays 223, one or more presence-sensitive panels 225, oneor more audio input devices 227, and one or more audio output devices229. Storage 230 may include user interface module 231, authenticationmodule 232, and application modules 239. One or more of the devices,modules, storage areas, or other components of computing device 210 maybe interconnected to enable inter-component communications (physically,communicatively, and/or operatively). In some examples, suchconnectivity may be provided by through communication channels (e.g.,communication channels 212), a system bus, a network connection, aninter-process communication data structure, or any other method forcommunicating data.

Power source 211 may provide power to one or more components ofcomputing device 210. Power source 211 may be a battery. Power source211 may have intelligent power management or consumption capabilities,and may such features may be controlled, accessed, or adjusted by one ormore modules of computing device 210 and/or by one or more processors213 to intelligently consume, allocate, supply, or otherwise managepower.

One or more processors 213 of computing device 210 may implementfunctionality and/or execute instructions associated with computingdevice 210 or associated with one or more modules illustrated hereinand/or described below. One or more processors 213 may be, may be partof, and/or may include processing circuitry that performs operations inaccordance with one or more aspects of the present disclosure.

One or more communication units 215 of computing device 210 maycommunicate with devices external to computing device 210 bytransmitting and/or receiving data, and may operate, in some respects,as both an input device and an output device. In some examples,communication unit 215 may communicate with other devices over a network(e.g., network 201). In other examples, communication units 215 may sendand/or receive radio signals on a radio network such as a cellular radionetwork or over a voice-oriented public telephone network (e.g.,voice-oriented network 203).

One or more input/output devices 217 may represent any input or outputdevices of computing device 210 not otherwise separately describedherein. One or more input/output devices 217 may generate, receive,and/or process input from any type of device capable of detecting inputfrom a human or machine; one or more input/output devices 217 maygenerate, present, and/or process output through any type of devicecapable of producing output. Some devices may serve as input devices,some devices may serve as output devices, and some devices may serve asboth input and output devices.

User interface device 221 may function as an input and/or output deviceor set of input/output devices for computing device 210, and may beimplemented using various devices, components, and/or technologies. Userinterface device 221 may include presence-sensitive input paneltechnologies, microphone technologies, voice activation and/orrecognition technologies, cameras, sensor technologies (e.g., infrared,image, location, motion, accelerometer, gyrometer, magnetometer), orother input device technology for use in receiving user input; userinterface device 221 may include display devices, speaker technologies,haptic feedback technologies, tactile feedback technologies, lightemitting technologies, or other output device technologies for use inoutputting information to a user.

In the example of FIG. 2, user interface device 221 includes one or moredisplays 223, one or more presence-sensitive panels 225, one or moreaudio input devices 227, and one or more audio output devices 229.Although certain components associated with computing device 210 aredescribed or illustrated in FIG. 2 as being implemented within userinterface device 221, in other examples, such components could beimplemented external to user interface device 221, and other componentscould be implemented within user interface device 221. Further, whileillustrated as an internal component of computing device 210, userinterface device 221 may also represent an external or partiallyexternal component that shares a data path with computing device 210 fortransmitting and/or receiving input and output. For instance, in someexamples, user interface device 221 represents a built-in component ofcomputing device 210 located within and physically connected to theexternal packaging of computing device 210 (e.g., a screen on a mobilephone). In other examples, user interface device 221 represents anexternal component of computing device 210 located outside andphysically separated from the packaging or housing of computing device210 (e.g., a monitor, a projector, etc. that shares a wired and/orwireless data path with computing device 210). In still other examples,one or more components of user interface device 221 may be built-incomponents of computing device 210, and one or more components of userinterface device 221 may be external components of computing device 210(e.g., some components of user interface device 221 may be internal, andothers may be external). Further, one or more components of userinterface device 221 may be integrated together, so that one componentis or appears to be a built-in component of another.

For instance, display 223 may integrated with presence-sensitive panel225, so that user interface device 221 includes or operates as atouch-sensitive or presence-sensitive display screen. In such animplementation, user interface device 221 may receive indications oftactile input by detecting one or more gestures from a user (e.g., theuser touching or pointing to one or more locations of display 223 with afinger or a stylus pen). User interface device 221 may present output toa user as a graphical user interface at display 223. For example, userinterface device 221 may present various user interfaces related tofunctions provided by one or more modules of computing device 210 oranother feature of a computing platform, operating system, application,and/or service executing at or accessible from computing device 210(e.g., an electronic message application, Internet browser application,a mobile or desktop operating system, etc.).

One or more displays 223 may generally refer to any appropriate type ofdisplay device, such as a display associated with any type of computingdevice, such as a tablet, mobile phone, watch, or any other type ofwearable, non-wearable, mobile, or non-mobile computing device. Display223 may function as one or more output (e.g., display) devices usingtechnologies including liquid crystal displays (LCD), dot matrixdisplays, light emitting diode (LED) displays, organic light-emittingdiode (OLED) displays, e-ink, or similar monochrome or color displayscapable of generating tactile, audio, and/or visual output. Display 223may include a cathode ray tube (CRT) monitor, liquid crystal display(LCD), Light-Emitting Diode (LED) display, or any other type of displaydevice.

Display 223 may output information to a user in the form of a userinterface (e.g., as shown in FIG. 1A), which may be associated withfunctionality provided by computing device 210. Such user interfaces maybe associated with computing platforms, operating systems, applications,and/or services executing at or accessible from computing device 210(e.g., banking applications, electronic message applications, chatapplications, Internet browser applications, mobile or desktop operatingsystems, social media applications, electronic games, and other types ofapplications). For example, display 223 may present one or more userinterfaces which are graphical user interfaces of an applicationexecuting at computing device 210 including various graphical elementsdisplayed at various locations of display 223.

One or more presence-sensitive panels 225 may serve as an input device,and may detect an object, such as a finger or stylus, and determine alocation (e.g., an x and y coordinate) of the object relative to apanel. Presence-sensitive panel 225 may be implemented using a resistivetouchscreen or panel, a surface acoustic wave touchscreen or panel, acapacitive touchscreen or panel, a projective capacitance touchscreen orpanel, a pressure-sensitive panel, an acoustic pulse recognitiontouchscreen or panel, or any other presence-sensitive panel (PSP)technology now known or hereafter conceived. In some examples,presence-sensitive panel 225 may provide output to a user using tactile,haptic, audio, visual, or video stimuli. For example, presence-sensitivepanel 225 may be integrated into a display component (e.g., display223), so that presence-sensitive panel 225 serves as a touch-sensitivedisplay screen. In such an example, presence-sensitive panel 225 maydetermine the location of that portion of the surface of display 223selected by a stylus or a user's finger using capacitive, inductive,and/or optical recognition techniques. Based on such input,presence-sensitive panel 225 may output or update a graphical userinterface presented at display 223.

One or more audio input devices 227 may include audio detection devices,microphones, and/or audio sensors that detect voices, sounds, or otheraudio information. In some examples, audio input device 227 may beconfigured to detect primarily voices. Audio input device 227 mayinclude an audio or signal processing hardware or one or more audio orsignal processing modules. For example, an audio processor may performadjustments to sounds detected by audio input device 227 to improvesound quality or clarity, reduce or cancel background noise, isolatecertain frequencies, isolate certain sounds (e.g., human speech), or foranother purpose. An audio or signal processor associated with audioinput device 227 may encrypt sounds, audio information, or indicationsof audio information by applying a public or private encryption keypursuant to an encryption algorithm. Audio input device 227 may outputindications of audio input reflecting input detected by audio inputdevice 227.

One or more audio output devices 229 may operate to convert anelectrical signal into a corresponding sound. In some examples, audiooutput device 229 may comprise an electroacoustic transducer or aloudspeaker (or speaker), which may be housed in an enclosure configuredto enhance the quality of the sound. In other examples, audio outputdevice 229 may comprise a loudspeaker or speaker built into a housing ofcomputing device 210, or may comprise a loudspeaker or speaker builtinto a set of wired or wireless headphones that may be or may be capableof being operably coupled to computing device 210. In some examples,audio output device 229 may generate audio sounds associated with imagesor a video displayed on a display device associated with computingdevice 210.

One or more storage devices 230 within computing device 210 may storeinformation for processing during operation of computing device 210.Storage devices 230 may store program instructions and/or dataassociated with one or more of the modules described in accordance withone or more aspects of this disclosure. One or more processors 213 andone or more storage devices 230 may provide an operating environment orplatform for such modules, which may be implemented as software, but mayin some examples include any combination of hardware, firmware, andsoftware. One or more processors 213 may execute instructions and one ormore storage devices 230 may store instructions and/or data of one ormore modules. The combination of processors 213 and storage devices 230may retrieve, store, and/or execute the instructions and/or data of oneor more applications, modules, or software. Processors 213 and/orstorage devices 230 may also be operably coupled to one or more othersoftware and/or hardware components, including, but not limited to, oneor more of the components of computing device 210 and/or one or moredevices or systems illustrated as being connected to computing device210.

User interface module 231 may manage user interactions with userinterface device 221 and other components of computing device 210. Userinterface module 231 may cause user interface device 221 to outputvarious user interfaces for display or presentation or otherwise, as auser of computing device 210 views, hears, or otherwise senses outputand/or provides input at user interface device 221. User interfacedevice 221 may detect input, and may output to user interface module 231one or more indications of input as a user of computing device 210interacts with a user interface presented at user interface device 221.User interface module 231 and user interface device 221 may interpretinputs detected at user interface device 221 and may relay informationabout the inputs detected at user interface device 221 to one or moreassociated platforms, operating systems, applications, and/or servicesexecuting at computing device 210 to cause computing device 210 toperform one or more functions.

User interface module 231 may receive information and instructions froma platform, operating system, application, and/or service executing atcomputing device 210 and/or one or more remote computing systems. Inaddition, user interface module 231 may act as an intermediary between aplatform, operating system, application, and/or service executing atcomputing device 210 and various output devices of computing device 210(e.g., speakers, LED indicators, audio or electrostatic haptic outputdevices, light emitting technologies, displays, etc.) to produce output(e.g., a graphic, a flash of light, a sound, a haptic response, etc.).

Authentication module 232 may perform functions relating toauthenticating computing device 210 with other systems, such ascomputing system 240. Authentication module 232 may receive informationsufficient to generate a user interface, and authentication module 232may cause user interface module 231 to present a visual user interface(e.g., user interface 114) at display 223 or, alternatively, output anaudio voice-prompt user interface through audio output device 229.Authentication module 232 may determine that input detected by userinterface device 221 corresponds to authentication credentials (e.g., ausername and password or audio of a spoken passphrase), andauthentication module 232 may cause communication unit 215 tocommunicate information about such authentication credentials overnetwork 201. Authentication module 232 may also interact with IVR system170, by, for example, causing computing device 210 to place a phone callto IVR system 170 over network 201 or network 203. During such a call,authentication module 232 may output DTMF codes corresponding to adevice identifier and/or a passcode to IVR system 170 in an attempt toidentify computing device 210 or authenticate a user of computing device210.

One or more application modules 239 may represent some or all of theother various individual applications and/or services executing at andaccessible from computing device 210. A user of computing device 210 mayinteract with a user interface (e.g., visual, graphical, or voice-promptuser interface) associated with one or more application modules 239 tocause computing device 210 to perform a function. Numerous examples ofapplication modules 239 may exist and may include banking applications,financial record-keeping applications, financial services applications,web browsing, search, communication, and shopping applications, and anyand all other applications that may execute at computing device 210.

Modules illustrated in FIG. 2 (e.g., user interface module 231,authentication module 232, application modules 239, authenticationmodule 252, enrollment module 254, banking module 258) and/orillustrated or described elsewhere in this disclosure may performoperations described using software, hardware, firmware, or a mixture ofhardware, software, and firmware residing in and/or executing at one ormore computing devices. For example, a computing device may execute oneor more of such modules with multiple processors or multiple devices. Acomputing device may execute one or more of such modules as a virtualmachine executing on underlying hardware. One or more of such modulesmay execute as one or more services of an operating system or computingplatform. One or more of such modules may execute as one or moreexecutable programs at an application layer of a computing platform. Inother examples, functionality provided by a module could be implementedby a dedicated hardware device. Although certain modules, data stores,components, programs, executables, data items, functional units, and/orother items included within one or more storage devices may beillustrated separately, one or more of such items could be combined andoperate as a single module, component, program, executable, data item,or functional unit. For example, one or more modules or data stores maybe combined or partially combined so that they operate or providefunctionality as a single module. Further, one or more modules mayinteract with and/or operate in conjunction with one another so that,for example, one module acts as a service or an extension of anothermodule. Also, each module, data store, component, program, executable,data item, functional unit, or other item illustrated within a storagedevice may include multiple components, sub-components, modules,sub-modules, data stores, and/or other components or modules or datastores not illustrated. Further, each module, data store, component,program, executable, data item, functional unit, or other itemillustrated within a storage device may be implemented in various ways.For example, each module, data store, component, program, executable,data item, functional unit, or other item illustrated within a storagedevice may be implemented as a downloadable or pre-installed applicationor “app.” In other examples, each module, data store, component,program, executable, data item, functional unit, or other itemillustrated within a storage device may be implemented as part of anoperating system executed on a computing device.

In the example of FIG. 2, and in accordance with one or more aspects ofthe present disclosure, computing system 240 may authenticate a user ofcomputing device 210. For instance, in an example that can be describedin connection with FIG. 2, presence-sensitive panel 225 of computingdevice 210 detects input. Presence-sensitive panel 225 outputs to userinterface module 231 an indication of input. User interface module 231determines that the input includes a number of taps, gestures, ortouch-screen interactions that correspond to a request to interact withcomputing system 240. User interface module 231 causes display 223 topresent a user interface (e.g., user interface 112 of FIG. 1A),prompting a user of computing device 110 to present authenticationcredentials. Presence-sensitive panel 225 detects further input andoutputs to user interface module 231 an indication of input. Userinterface module 231 outputs to authentication module 232 informationabout the input. Authentication module 232 determines that the inputcorresponds to a username and password. Authentication module 232 causescommunication unit 215 to output a signal over network 201.Communication unit 245 of computing system 240 detects a signal, andoutputs to authentication module 252 an indication of the signal.Authentication module 252 determines that the signal includesauthentication credentials for a user of computing device 210.Authentication module 252 further identifies the user, and determinesthat the user of computing device 210 has entered a valid username andpassword combination. Authentication module 252 may cause communicationunit 245 to further communicate with computing device 210 over network201 and establish a session with computing device 210 operated by theuser.

Computing system 240 may provide to computing device 210 instructionsfor establishing a voice authentication credential for a user ofcomputing device 210. For instance, in the example being described, andwith reference to FIG. 2, enrollment module 254 determines that theauthenticated user of computing device 210 is a candidate forestablishing a voice authentication credential, and/or is being offeredthe opportunity to establish a voice authentication credential.Enrollment module 254 causes communication unit 245 to output a signalover network 201. Communication unit 215 of computing device 210 detectsa signal over network 201 and outputs an indication of the signal toauthentication module 232. Authentication module 232 determines that thesignal corresponds to information sufficient to generate a userinterface. Authentication module 232 causes user interface module 231 topresent a user interface (e.g., user interface 114 of FIG. 1A) atdisplay 223. Presence-sensitive panel 225 detects input thatauthentication module 232 determines corresponds to a user selectingbutton 115. Authentication module 232 causes communication unit 215 tooutput a signal over network 201.

Communication unit 245 of computing system 240 detects a signal andoutputs to enrollment module 254 an indication of the signal. Enrollmentmodule 254 determines that the signal corresponds to a request toestablish a voice authentication credential. In response, enrollmentmodule 254 generates and stores session data 256 associated withcomputing device 210. Session data 256 may include a device identifierassociated with or identifying computing device 210, a passcodeassociated with the session with computing device 210, and a phonenumber that computing device 210 may use to contact IVR system 170.Enrollment module 254 causes communication unit 245 to output a signalover network 201. Communication unit 215 of computing device 210 detectsa signal over network 201, and outputs to authentication module 232 anindication of the signal. Authentication module 232 determines that thesignal includes instructions, including a phone number and a one-timepasscode.

Computing device 210 may use the instructions to interact with IVRsystem 170 as an authenticated user. For instance, in the example beingdescribed, and with reference to FIG. 2, authentication module 232causes communication unit 215 to initiate a phone call to IVR system 170over voice-oriented network 203. In some examples, computing device 210initiates the phone call to IVR system 170 over voice-oriented network203 (used for voice calls), rather than over network 201 (used for datacommunications). In other examples, however, computing device 210 mayinitiate the phone call to IVR system 170 over a different network, suchas network 201. In the described example, IVR system 170 receives anindication of the call from computing device 210, and thereaftercommunicates with computing device 210 over voice-oriented network 203.Communication unit 215 of computing device 210 sends, overvoice-oriented network 203, to IVR system 170, the device identifier andthe one-time passcode received from computing system 240. IVR system 170receives the information from computing device 210, and in response,outputs a signal over network 201. Communication unit 245 of computingsystem 240 detects a signal and outputs to enrollment module 254 anindication of the signal. Enrollment module 254 determines that thesignal includes a device identifier and a one-time passcode. Enrollmentmodule 254 compares the device identifier and the one-time passcode tothe previously-stored session data 256 associated with computing device210. Enrollment module 254 determines that the device identifier and theone-time passcode matches and/or is consistent with session data 256.Enrollment module 254 causes communication unit 245 to output a signalover network 201. IVR system 170 detects a signal and determines thatthe signal is indicates that computing system 240 has determined thatthe user operating computing device 210 is an authenticated user.

Voice biometric services system 180 may create voiceprint 182 for theauthenticated user of computing device 210. For instance, in the examplebeing described, and still referring to FIG. 2, IVR system 170 outputs asignal over network 201. Communication unit 215 of computing device 210detects a signal and outputs an indication of the signal toauthentication module 232. Authentication module 232 determines that thesignal includes information sufficient to generate a voice prompt.Authentication module 232 causes audio output device 229 to outputaudio, which in some examples, may be a user prompt such as “Toestablish a voice authentication credential, please say ‘my voice is mypassword.’ Audio input device 227 detects input and outputs to userinterface module 231 an indication of input. User interface module 231outputs to authentication module 232 information about the input.Authentication module 232 determines that the input corresponds to audioinput in response to the user prompt output by audio output device 229.Authentication module 232 causes communication unit 215 to output asignal over network 201. IVR system 170 detects a signal and determinesthat the signal includes audio input from a user of computing device110. IVR system 170 communicates to voice biometric services system 180information about the audio input. IVR system 170 may furthercommunicate with computing device 210 and receive from computing device210 further audio input. IVR system 170 may communicate to voicebiometric services system 180 information about any additional audioinput. Voice biometric services system 180 may determine that the audioinput is sufficient to create voiceprint 182 associated with computingdevice 210. Voice biometric services system 180 stores voiceprint 182within voiceprint data store 181. In some examples, a device identifierfor computing device 210 is associated with or stored with voiceprint182.

Once voiceprint 182 has been established, computing device 210 maythereafter communicate a spoken passphrase to voice biometric servicessystem 180 for authentication, thereby enabling access to other systems,such as banking system 190 (see, e.g., FIG. 1B). For instance, in theexample being described, and still referring to FIG. 2,presence-sensitive panel 225 of computing device 210 detects input thatauthentication module 232 determines corresponds to a request tointeract with computing system 240. Authentication module 232 causesuser interface module 231 to present a user interface, through userinterface device 221, prompting the user of computing device 110 toinput authentication credentials. In some examples, user interfacemodule 231 causes display 223 to present a visual user interface (e.g.,user interface 119 of FIG. 1B) prompting the user of computing device210 to speak a passphrase. In other examples, user interface module 231causes audio output device 229 of user interface device 221 to output anaudio sound (e.g., “please say ‘my voice is my password’”), promptingthe user to speak the specified passphrase. Audio input device 227 ofuser interface device 221 detects input and outputs to user interfacemodule 231 an indication of input. User interface module 231 outputs toauthentication module 232 information about the input. Authenticationmodule 232 determines that the input corresponds to a response to theprompt to speak a passphrase. Authentication module 232 causescommunication unit 215 to output a signal over network 201.Communication unit 245 of computing system 240 detects input and outputsto authentication module 252 an indication of input. Authenticationmodule 252 determines that the input corresponds to an audio passphrasefrom a user of computing device 210. Authentication module 252 causescommunication unit 245 to output a signal over network 201. Voicebiometric services system 180 detects the signal and determines that itcorresponds to a spoken passphrase uttered by a user of computing device210. In some examples, voice biometric services system 180 may determinethat the signal further includes a device identifier associated withcomputing device 210.

Voice biometric services system 180 may authenticate the user ofcomputing device 210 based on the passphrase. For instance, continuingwith the same example, voice biometric services system 180 compares theinformation received from computing system 240 to voiceprint 182, anddetermines that the information from computing system 240 is sufficientto authenticate the user of computing device 210. For example, voicebiometric services system 180 may compare a spoken passphrase and fromcomputing system 240 to voiceprint 182. Voice biometric services system180 may also compare a device identifier from computing system 240 to adevice identifier associated with and/or stored with voiceprint 182 invoiceprint data store 181. Voice biometric services system 180 maydetermine that the voiceprint and device identifier sufficiently matchesvoiceprint 182 and any previously-stored device identifier.

In response, voice biometric services system 180 outputs a signal overnetwork 201. Communication unit 245 of computing system 240 detects asignal and outputs an indication of the signal to authentication module252. Authentication module 252 determines that the signal indicates thatvoice biometric services system 180 has authenticated the user ofcomputing device 210. Authentication module 252 causes communicationunit 245 to output a signal over network 201. Communication unit 215 ofcomputing device 210 detects a signal and outputs to authenticationmodule 232 an indication of a signal. Authentication module 232determines that the signal corresponds to confirmation that the user ofcomputing device 210 has been authenticated. Computing device 210 andcomputing system 240 may further communicate and establish anauthenticated session. Computing system 240 may, in response to inputreceived over network 201 from computing device 210, perform services onbehalf of the authenticated user of computing device 210 during theauthenticated session. In some examples, services performed by computingsystem 240 may invoke banking services, which may be performed bybanking module 258 of computing system 240.

In some examples, voice biometric services system 180 may analyze audiodata received from computing device 210 in an attempt to ensure thataudio data received from computing device 210 is a live utterance,rather than a recording of a previous utterance. For instance, one wayin which an unauthorized user may attempt to defeat a voiceauthentication system is to record a passphrase utterance made by anauthorized user, and then later replay that recorded utterance inresponse to a prompt to say a passphrase. Accordingly, voice biometricservices system 180 may, in some examples, attempt to determine whetheraudio data received from computing device 210 exhibits characteristicsconsistent with a recording or a reproduction of a previously-utteredpassphrase. In some examples, certain pops or other artifacts ofrecorded audio may be present in audio data generated from a recording,and can be used to make such a determination.

If voice biometric services system 180 suspects that audio received fromcomputing device 210 is a recorded passphrase, voice biometric servicessystem 180 may output, over network 201, a request for additionalinformation. Authentication module 252 of computing system 240 mayreceive an indication of the request, and output a signal over network201. Communication unit 215 of computing device 210 may detect thesignal and output to authentication module 232 an indication of thesignal. Authentication module 232 may determine that the signalcorresponds to information sufficient to generate a user interface.Authentication module 232 may cause user interface device 221 to outputan audio and/or visual user interface, prompting a user of computingdevice 210 to utter a secondary passphrase. The secondary passphrase maybe one of a defined set of alternative passphrases. User interfacedevice 221 may detect input that authentication module 232 determinescorresponds to a response to the prompt. In response, authenticationmodule 232 may cause communication unit 215 to output a signal overnetwork 201. Authentication module 252 of computing system 240 mayreceive an indication of the signal, and output to voice biometricservices system 180 information about the signal. Voice biometricservices system 180 may determine that the signal corresponds to audiodata for a spoken alternative passphrase. Voice biometric servicessystem 180 may evaluate the audio data and either authenticate the userof computing device 210, deny access, request additional information, orperform another action.

In some examples described herein in connection with FIG. 2, voicebiometric services system 180 is described as communicating withcomputing device 210 through computing system 240. In other examples,voice biometric services system 180 may, in some situations, communicatewith computing device 210 directly, or through other devices.

FIG. 3 is a flow diagram illustrating operations performed by an examplecomputing system in accordance with one or more aspects of the presentdisclosure. FIG. 3 is described below within the context of computingsystem 240 of FIG. 2. In other examples, operations described in FIG. 3may be performed by one or more other components, modules, systems, ordevices. Further, in other examples, operations described in connectionwith FIG. 3 may be merged, performed in a difference sequence, oromitted.

In the example of FIG. 3, and in accordance with one or more aspects ofthe present disclosure, computing system 240 may communicate with acomputing device over a network (301). For instance, in some examples,communication unit 245 of computing system 240 detects a signal, anddetermines that the signal corresponds to a communication from computingdevice 210 over network 201.

Computing system 240 may authenticate, based on the communications withthe computing device, a user operating the computing device (302). Forinstance, in some examples, authentication module 252 determines thatthe signal includes authentication credentials for a user of computingdevice 210. Authentication module 252 determines, based on theauthentication credentials, that the user of computing device 210 is aknown user who has entered a valid username and password combination.Authentication module 252 may cause communication unit 245 to furthercommunicate with computing device 210 over network 201 and establish asession with the authenticated user of computing device 210.

Computing system 240 may store session data associated with thecomputing device (303). For instance, in some examples, communicationunit 245 of computing system 240 detects a signal and outputs toenrollment module 254 an indication of the signal. Enrollment module 254determines that the signal corresponds to a request to establish a voiceauthentication credential from computing device 210. In response,enrollment module 254 generates and stores session data 256 associatedwith computing device 210.

Computing system 240 may output, to the computing device, instructionsfor communicating with an interactive voice response (IVR) system (304).For instance, in some examples, enrollment module 254 causescommunication unit 245 to output a signal over network 201.Communication unit 215 of computing device 210 detects a signal overnetwork 201, and outputs to authentication module 232 an indication ofthe signal. Authentication module 232 determines that the signalincludes a phone number and a one-time passcode.

Computing system 240 may receive, from the IVR system, information(305). For instance, in some examples, communication unit 245 ofcomputing system 240 detects a signal and outputs to enrollment module254 an indication of the signal. Enrollment module 254 determines thatthe signal includes a device identifier and a one-time passcode from IVRsystem 170.

Computing system 240 may determine, based on the information and thestored session data, that the computing device has contacted the IVRsystem using the instructions (306). For instance, in some examples,enrollment module 254 compares the device identifier and the one-timepasscode received from IVR system 170 to information included in thepreviously-stored session data 256 associated with computing device 210.

If computing system 240 determines that the computing device hascontacted the IVR system (YES branch of 306), computing system 240 mayenable the IVR system 170 to establish a voice authentication credentialfor the user of the computing device (307). For instance, in someexamples, enrollment module 254 determines that the device identifierand the one-time passcode matches and/or is consistent with session data256. Enrollment module 254 causes communication unit 245 to output asignal over network 201. IVR system 170 detects a signal and determinesthat the signal indicates that computing system 240 has determined thatthe user operating computing device 210 is an authenticated useroperating the same computing device 110 for which session data 256 waspreviously stored. If computing system 240 determines that theappropriate computing device has not been shown to contact the IVRsystem (NO branch of 306), computing system 240 may deny access tofunctionality of IVR system 170 that creates voice authenticationcredentials (308).

Aspects of the present disclosure relating to IVR systems and relatedsystems are further described in the following references, each of whichis hereby fully incorporated by reference: U.S. patent application Ser.No. 15/385,484, filed Dec. 20, 2016, U.S. patent application Ser. No.15/385,526, filed Dec. 20, 2016, and U.S. Provisional Patent ApplicationNo. 62/399,287 filed on Sep. 23, 2016.

For processes, apparatuses, and other examples or illustrationsdescribed herein, including in any flowcharts or flow diagrams, certainoperations, acts, steps, or events included in any of the techniquesdescribed herein can be performed in a different sequence, may be added,merged, or left out altogether (e.g., not all described acts or eventsare necessary for the practice of the techniques). Moreover, in certainexamples, operations, acts, steps, or events may be performedconcurrently, e.g., through multi-threaded processing, interruptprocessing, or multiple processors, rather than sequentially. Furthercertain operations, acts, steps, or events may be performedautomatically even if not specifically identified as being performedautomatically. Also, certain operations, acts, steps, or eventsdescribed as being performed automatically may be alternatively notperformed automatically, but rather, such operations, acts, steps, orevents may be, in some examples, performed in response to input oranother event.

In one or more examples, the functions described may be implemented inhardware, software, firmware, or any combination thereof. If implementedin software, the functions may be stored, as one or more instructions orcode, on and/or transmitted over a computer-readable medium and executedby a hardware-based processing unit. Computer-readable media may includecomputer-readable storage media, which corresponds to a tangible mediumsuch as data storage media, or communication media including any mediumthat facilitates transfer of a computer program from one place toanother (e.g., pursuant to a communication protocol). In this manner,computer-readable media generally may correspond to (1) tangiblecomputer-readable storage media, which is non-transitory or (2) acommunication medium such as a signal or carrier wave. Data storagemedia may be any available media that can be accessed by one or morecomputers or one or more processors to retrieve instructions, codeand/or data structures for implementation of the techniques described inthis disclosure. A computer program product may include acomputer-readable medium.

By way of example, and not limitation, such computer-readable storagemedia can include RAM, ROM, EEPROM, CD-ROM or other optical diskstorage, magnetic disk storage, or other magnetic storage devices, flashmemory, or any other medium that can be used to store desired programcode in the form of instructions or data structures and that can beaccessed by a computer. Also, any connection is properly termed acomputer-readable medium. For example, if instructions are transmittedfrom a website, server, or other remote source using a coaxial cable,fiber optic cable, twisted pair, digital subscriber line (DSL), orwireless technologies such as infrared, radio, and microwave, then thecoaxial cable, fiber optic cable, twisted pair, DSL, or wirelesstechnologies such as infrared, radio, and microwave are included in thedefinition of medium. It should be understood, however, thatcomputer-readable storage media and data storage media do not includeconnections, carrier waves, signals, or other transient media, but areinstead directed to non-transient, tangible storage media. Disk anddisc, as used, includes compact disc (CD), laser disc, optical disc,digital versatile disc (DVD), floppy disk and Blu-ray disc, where disksusually reproduce data magnetically, while discs reproduce dataoptically with lasers. Combinations of the above should also be includedwithin the scope of computer-readable media.

Instructions may be executed by one or more processors, such as one ormore digital signal processors (DSPs), general purpose microprocessors,application specific integrated circuits (ASICs), field programmablelogic arrays (FPGAs), or other equivalent integrated or discrete logiccircuitry. Accordingly, the terms “processor” or “processing circuitry”as used herein may each refer to any of the foregoing structure or anyother structure suitable for implementation of the techniques described.In addition, in some examples, the functionality described may beprovided within dedicated hardware and/or software modules. Also, thetechniques could be fully implemented in one or more circuits or logicelements.

The techniques of this disclosure may be implemented in a wide varietyof devices or apparatuses, including a wireless handset, a mobile ornon-mobile computing device, a wearable or non-wearable computingdevice, an integrated circuit (IC) or a set of ICs (e.g., a chip set).Various components, modules, or units are described in this disclosureto emphasize functional aspects of devices configured to perform thedisclosed techniques, but do not necessarily require realization bydifferent hardware units. Rather, as described above, various units maybe combined in a hardware unit or provided by a collection ofinteroperating hardware units, including one or more processors asdescribed above, in conjunction with suitable software and/or firmware.

What is claimed is:
 1. A method comprising: outputting, by a mobiledevice and over a network to a computing system, information thatincludes authentication information and a request to establish a voiceauthentication credential for a user operating the mobile device;enabling the computing system to determine, based on the authenticationinformation, that the mobile device is operated by an authorized user;receiving, by the mobile device over the network, instructions forcommunicating with an interactive voice response (IVR) system;establishing, by the mobile device and based on the instructions,communications with the IVR system over the network; enabling the IVRsystem to verify, based on the communications, that the mobile devicepreviously output the request to establish a voice authenticationcredential; detecting, by the mobile device, audio data; outputting, bythe mobile device and over the network to the IVR system, informationabout the audio data; enabling the IVR system to create a voiceprintbased on the audio data and communicate the voiceprint to the computingsystem for use as an authentication credential; detecting, by the mobiledevice and after enabling the IVR system to communicate the voiceprintto the computing system for use as an authentication credential, audioauthentication information; outputting, by the mobile device and overthe network to the computing system, information about the audioauthentication information; and enabling the computing system toauthenticate the mobile device without interacting with the IVR systemand based on the audio authentication information.
 2. The method ofclaim 1, wherein receiving instructions for communicating with the IVRsystem includes: receiving a phone number at which the IVR can becontacted.
 3. The method of claim 2, wherein receiving instructions forcommunicating with the IVR system further includes: receiving a passcodegenerated by the computing system in response to the request toestablish the voice authentication credential.
 4. The method of claim 3,wherein the passcode has an expiration timeframe, and whereinestablishing communications with the IVR system further includes:enabling the IVR system to verify that the passcode has not expired. 5.The method of claim 3, wherein establishing communications with the IVRsystem includes: establishing communications with the IVR system byplacing a call to the IVR system at the phone number, wherein placingthe call to the IVR system is performed by the mobile device withoutrequiring further input from the user.
 6. The method of claim 5, whereinestablishing communications with the IVR system further includes:outputting the passcode over the network to the IVR system during thecall using dual tone multi frequency tones.
 7. The method of claim 5,wherein the authentication information includes a device identifierassociated with the mobile device, and wherein establishingcommunications with the IVR system further includes: outputting thedevice identifier and the passcode over the network to the IVR systemduring the call using dual tone multi frequency tones.
 8. The method ofclaim 1, wherein enabling the IVR system to verify that the mobiledevice previously output the request to establish a voice authenticationcredential includes: enabling the IVR system to communicate with thecomputing system.
 9. The method of claim 1, wherein detecting audio dataincludes: outputting, by the mobile device, a user interface promptingthe user to utter a phrase.
 10. A mobile device comprising a storagesystem and processing circuitry, wherein the processing circuitry hasaccess to the storage system and is configured to: output, over anetwork to a computing system, information that includes authenticationinformation and a request to establish a voice authentication credentialfor a user operating the mobile device; enable the computing system todetermine, based on the authentication information, that the mobiledevice is operated by an authorized user; receive, over the network,instructions for communicating with an interactive voice response (IVR)system, wherein the instructions include a phone number at which the IVRcan be contacted and a passcode generated by the computing system inresponse to the request to establish the voice authenticationcredential; establish, based on the instructions, communications withthe IVR system over the network; enable the IVR system to verify, basedon the communications, that the mobile device that establishedcommunications with the IVR system previously output the request toestablish a voice authentication credential; detect audio data; output,over the network to the IVR system, information about the audio data;and enable the IVR system to create a voiceprint based on the audio dataand communicate the voiceprint to the computing system for use as anauthentication credential.
 11. The mobile device of claim 10, whereinthe processing circuitry is further configured to: detect, afterenabling the IVR system to communicate the voiceprint to the computingsystem for use as an authentication credential, audio authenticationinformation; output, over the network to the computing system,information about the audio authentication information; and enable thecomputing system to authenticate the mobile device without interactingwith the IVR system and based on the audio authentication information.12. The mobile device of claim 10, wherein the passcode has anexpiration timeframe, and wherein to establish communications with theIVR system, the processing circuitry is further configured to: enablethe IVR system to verify that the passcode has not expired.
 13. Themobile device of claim 10, wherein to establish communications with theIVR system, the processing circuitry is further configured to: establishcommunications with the IVR system by placing a call to the IVR systemat the phone number, wherein placing the call to the IVR system isperformed by the mobile device without requiring further input from theuser.
 14. The mobile device of claim 13, wherein to establishcommunications with the IVR system, the processing circuitry is furtherconfigured to: output the passcode over the network to the IVR systemduring the call using dual tone multi frequency tones.
 15. The mobiledevice of claim 13, wherein the authentication information includes adevice identifier associated with the mobile device, and wherein toestablish communications with the IVR system, the processing circuitryis further configured to: output the device identifier and the passcodeover the network to the IVR system during the call using dual tone multifrequency tones.
 16. The mobile device of claim 10, wherein to enablethe IVR system to verify that the mobile device previously output therequest to establish a voice authentication credential, the processingcircuitry is further configured to: enable the IVR system to communicatewith the computing system.
 17. A non-transitory computer-readablestorage medium comprising instructions that, when executed, configureprocessing circuitry of a mobile device to: output, over a network to acomputing system, information that includes authentication informationand a request to establish a voice authentication credential for a useroperating the mobile device; enable the computing system to determine,based on the authentication information, that the mobile device isoperated by an authorized user; receive, over the network, instructionsfor communicating with an interactive voice response (IVR) system,wherein the instructions include a phone number at which the IVR can becontacted and a passcode generated by the computing system in responseto the request to establish the voice authentication credential;establish, based on the instructions, communications with the IVR systemover the network; enable the IVR system to verify, based on thecommunications, that the mobile device that established communicationswith the IVR system previously output the request to establish a voiceauthentication credential; detect audio data; output, over the networkto the IVR system, information about the audio data; and enable the IVRsystem to create a voiceprint based on the audio data and communicatethe voiceprint to the computing system for use as an authenticationcredential.